“Dexter” malware steals credit card data from point-of-sale terminals

Hundreds of businesses around the world infected.

Administration panel for Dexter, a malicious application that steals credit card data from point-of-sale systems. The malware was recently found on hundreds of computers around the world.

Seculert

A researcher has uncovered new malware that steals payment card data from point-of-sale terminals used by stores, hotels, and other businesses.

Dexter, as the malware is called, has infected hundreds of point-of-sale computers at big-name retailers, hotels, restaurants, and other businesses, according to a report issued by Aviv Raff, chief technology officer of Israel-based security firm Seculert. Businesses infected in the past three months are located in 40 different countries, with 30 percent of those compromised located in the US, 19 percent in the UK, and nine percent in Canada. Malware that infects point-of-sale terminals can be one of the most efficient ways to carry out payment card fraud because it targets machines with access to large amounts of the required data.

"Instead of going through the trouble of infecting tens of thousands of PCs or physically installing a skimmer, an attacker can achieve the same results by targeting just a few POS systems with specially crafted malware," Raff wrote. "Dexter is one example of such malware."

Dexter has infected systems running a variety of different versions of Windows, including XP, Home Server, Server 2003, and Windows 7. Once installed, Dexter uploads the contents of computer memory to a server located in the Republic of Seychelles. An online parsing tool then attempts to ferret out Track 1 and Track 2 card data processed by various POS applications. The data is then retrieved by the malware operators, presumably for the purpose of cloning payment cards. More on Dexter here.

It remains unclear how POS systems are infected by Dexter, which gets its name from a string of text found in one of its files. The large percentage of infected Windows servers suggests Web-based exploits and social engineering traps aren't likely vectors, since those types of machines typically aren't used to browse Web pages. Raff declined to identify the businesses infected by the malware.
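The article says Dexter dumps process memory and a server-side parser then picks out Track 1 and Track 2 data. The same layout is what a defender scans for when checking a memory dump, a packet capture or a suspicious staging file for leaked card data. The following scanner is an added example and is not code from the article or from Seculert's report; the sample dump, the test card numbers and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample, not a real memory dump: a few bytes of process memory as
# a scraper like the one described in the article would see it. It holds one
# Track 1 and one Track 2 record using well-known Luhn-valid *test* card
# numbers, plus a decoy Track 2 record whose number fails the Luhn check.
SAMPLE_DUMP = (
    b"\x00\x00POSAPP v2.1\x00\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?\x00\x00"
    b"some unrelated log text\r\n"
    b";5500000000000004=25121019999888877776?\x00"
    b";1234567890123456=2512101?\x00"
)

# ISO/IEC 7813 magnetic-stripe layouts.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]{0,60}\?")
TRACK2_RE = re.compile(
    rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]{0,60}\?")


@dataclass
class TrackHit:
    track: int          # 1 or 2
    offset: int         # byte offset of the record in the scanned blob
    pan_masked: str     # BIN and last four only; never log the full PAN
    expiry: str         # "YY/MM"
    service_code: str
    luhn_ok: bool       # False means the record is probably a false positive


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check-digit validation for a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual PCI display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _to_hit(track: int, m: re.Match, yy_group: int) -> TrackHit:
    # Group 1 is always the PAN; YY, MM and service code follow from yy_group.
    pan = m.group(1).decode("ascii")
    yy, mm, svc = (m.group(yy_group + k).decode("ascii") for k in range(3))
    plausible = luhn_ok(pan) and 1 <= int(mm) <= 12
    return TrackHit(track, m.start(), mask_pan(pan), f"{yy}/{mm}", svc, plausible)


def scan_for_track_data(blob: bytes) -> list[TrackHit]:
    """Return every Track 1/Track 2 candidate in blob, ordered by offset."""
    hits = [_to_hit(1, m, 3) for m in TRACK1_RE.finditer(blob)]
    hits += [_to_hit(2, m, 2) for m in TRACK2_RE.finditer(blob)]
    return sorted(hits, key=lambda h: h.offset)


def confirmed(hits: list[TrackHit]) -> list[TrackHit]:
    """Drop candidates that fail the Luhn or month sanity checks."""
    return [h for h in hits if h.luhn_ok]


if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_DUMP):
        print(hit)
```

A hit of this shape in the memory of a process that should never hold cleartext track data, or in an outbound upload, is exactly the kind of evidence a POS compromise investigation looks for.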

Promoted Comments

I used to work at Target not too long ago and the registers there run a modified version of Windows XP with custom load screens and there's tons of registers there that are unmanned at various times. You can easily slip by, stab in a USB drive to the front ports and force a reboot and no one is the wiser. The same can be done at the electronics register because there's normally just 1 or 2 ppl manning that area. That's the downside of taking off the shelf parts and software and just repurposing.

Target, and a lot of other places, have software running on the backend that would detect things like that. From there they turn to their security cams and then you will have some explaining to do.

If you want to pull off a POS hack aim for small restaurants or franchises.

I work for a company that produces retail analytics software, and we have software agents that run on tills. I could write pages of gripes about EPOS software and tills.

The majority of tills we see are XP based, though we have encountered tills running NT4 and 98SE. These machines are rarely patched, auto-updates are generally turned off and there isn't any form of centralised patch management. In addition to this, a lot of them do not run any form of AV.

I'm only surprised that it's taken this long for malware that specifically targets tills to surface. I'm even more surprised that they're not more common.

The first thing I notice is that the majority of the compromised systems were running Windows XP and Home Server. Of the few Windows 7 machines they were all 32-bit operating systems. So of the 30+ systems shown in the screenshot every single one except 1 was a 32-bit system. The single 64-bit system was Windows 7 and appears to have been using an outdated Mozilla browser. I am going to guess the system was not fully patched.

Most of the other compromised systems used the default "Administrator" account. My guess is the majority of the systems in question were not configured the correct way.

karolus wrote:

Being that the infected machines are (presumably) single-purpose, I wonder how often they are updated/patched...

You would think making sure your Point of Sales machine was properly configured and kept secure and thus "up and running" would be a top priority of these companies. Clearly based on the usernames that isn't the case.

Based on experience, I'm guessing this is the configuration demanded by the POS software vendor. You'd bang your head bloody over the number of fights I've had with vendors over them demanding domain admin rights or wanting to run logged in as Administrator.

Agreed with the above posters. My gripe is why, coming from a major enterprise environment, do we in IT always get underfunded, scrape by with what resources we have, and constantly explain to those managers who hold the dollars how important it is to stay above the power curve in IT these days? IT is not a cost center anymore, it's a critical part of any business infrastructure. Make it work now and correct later to save a buck or two just spells bad news down the road.

IT is like paying the rent now. People still complain about paying the rent.

How did they find out that they were infected is what I'd like to know? I am a huge skeptic of Security Analysts as they usually have something to sell and so they're quick to exaggerate although this one sounds gnarly.

100% on the admin rights requirement from POS vendors on the client machines and I gave up on that fight years ago. Finance systems like GP or Peachtree are better but Intuit or Celerant are horrible in this way. Bored staff and systems with admin rights are a recipe for Malware soup.

Hahaha. You'd think, but it couldn't be further from the truth. In retail, point of sale software (and IT in general) is seen as overhead and companies cut expenses down to the bone. If that beige box running Windows XP keeps chugging along for over a decade, why touch it? It could be running an insecure, unsupported OS and stuffed to the gills with malware but so long as it doesn't prevent sales and customers don't complain, nobody cares.

But they ultimately do it, rather than saying, "Oh, Devin, just sleep in the car for another quarter."

Welcome to the entire world of business. The people at the top of the pyramid could give a shit about these kinds of things. So long as the absolute, bare minimum is done to keep the gravy train running, that's all that needs to be done. It's quite likely it's as it was described by Ed Norton's character in Fight Club when he explains "the formula". They calculate the cost of failures and weigh that against the cost of preventing them in the first place. If the failure cost is cheaper, then that's what they do. Of course, if you, as a customer, happen to suffer in some way, such as getting your credit card or identity stolen, or grandma dies because the brakes on the car failed, who cares? The shareholders and the board members have far more important concerns than your suffering.

Unfortunately, it's how it is. Barring complete revolution, the beast is now "too big to fail" and everyone from you, to grandma, to politicians is lined up to feed the machine.

Read about it. 99.99% of today's companies have no understanding of it or of the issues that arise from taking it on. They feel the problems, classify them improperly and then build processes to address the problem of technical debt without ever fully understanding it.

Yet another reason PCI regulations need to be more strictly enforced. Transaction processing terminals should not run a generic OS, they should run a custom or appliance-like OS not subject to general viruses, and should be secured to strict federal government standards, and should not have general internet connectivity at all (explicit firewall rules limiting connectivity only to essential business services, and no HTTP/email/etc used on those terminals at all). PoS terminals should not be used for ANY business practices other than processing payments and sales inventory tasks.

Besides withdrawing from the world, what can I do to protect myself from POS attacks?

Besides checking your bank statement regularly, limiting the funds that can be used in a single purchase/day before your card company flags you, or just using cash? You really don't.

Point of Sale hacks don't target you, they target the machine behind the counter when you swipe your card. You have no control over that machine besides your willingness to hand over your card to the person operating it.

Regulation works in many industries. Banking, medical, insurance, etc. Apply PCI compliance laws to ANY terminal that accepts payments, make it the law, and make the punishments for non-compliance SEVERE. When IT can go to the board and say: this law requires we do X. We can do it on our own machines for $Y, or push the responsibility to Z company for $y, but we still have to do minimum security compliance, and can be subject to spot audits once every 18 months with no warning. If we violate, we have to pay each victim $A, plus a fine of $BBB if we are not compliant. Compliance costs 1/100th of $BBB, but requires a 20% increase in IT funding this year, and 10% each year thereafter.

When spending $400 more for compliant software, a hardened OS, proper auditing, labor overhead per machine, for say 500 machines ($200K) stands in the face of potential tens of millions in fines for non-compliance, companies cough up the IT funds. When contracts are at stake like medicare or TRICare, let me tell you, insurance companies play ball and cough up the machine security costs without blinking, as non-compliance also means they can't participate in the next bid and could lose 5+ years of revenue entirely. Banks can simply be shut down. Put it on the credit card processing companies to ensure compliance from their subscribers, and if the government finds some retail outlet's or Mom n Pop PoS system is non-compliant, they can order the credit processing company to simply stop taking all payments from that company; now you're essentially telling Mom n Pop they need to spend a couple grand as a business cost, or outsource/lease that system and offset responsibility to a 3rd party. Those little phone-plug credit card machines: they don't get viruses. Hand keying an approval code into a register costs less than integrating compliance and security on the small scale. Securing the register and not outsourcing those services is more cost effective on the large scale, but if we're not incentivising compliance, while concurrently mandating minimum consumer protections, they just won't do it.

I made a lot of money making small doctors' offices compliant with IT requirements in the early 2Ks. Some of them had to spend $20+K on new systems and software. Guess what, they all did it with little complaint, because NOT complying meant they could not accept payments for their services from insurance companies, so complying cost less than not complying, and they did it, begrudgingly, but they did it.

At the risk of making things look more depressing, here's some insight from someone who has worked in a payment startup in which we wrote software that integrated with these POS systems:

In your typical fast food restaurant, you have one or two POS terminals. These POS terminals are unable to commit financial transactions themselves. They must connect to some middleware written by one of several dozen or hundreds of middleware companies out there. This middleware is typically installed on a server in an office in the restaurant. I'm guessing-- but I am not positive of this, never having had the opportunity to work with hospitality-- that hotels operate similarly.

These POS machines are also typically underpowered and barely able to run the POS software. This typically means that anti-virus software is most definitely out. I've actually tried to install anti-virus software on one of these machines, and the poor thing slowed down to an unusable crawl.

In the best-case scenario, the middleware servers that the POS machines connect to serve only one function: to send and receive credit card transactions. However, I've found that typically, these fast food restaurants are unwilling to spend the money to add a second computer in the manager's office. As a result, these servers also double as the computer used by the managers for bookkeeping, security camera software, email, youtube, internet, and non-work related activity.

Yes, these servers typically have monitoring software to prevent unauthorized applications from being installed, but when has that stopped a well-written virus or trojan?

Now, comes the really depressing part: In order to reduce the cost of maintaining the POS's and middleware servers, the resellers of POS systems typically install remote desktop software like GoToMyPC on every POS and server. In order to simplify things even further, these resellers typically use the same user and password for all their customers. This is probably why the screenshot shows the same user and password on the compromised machines.

I'm not so sure. I recently had fraudulent charges on both my debit and credit cards. The only place I had used both in months was my local Target. Luckily, I caught the charges within 2 days of them being made and the bank refunded me. I wondered about talking to the store manager but I figured I'd be ignored due to lack of proof.

No, that's the downside of making the USB ports readily accessible. Security through obscurity is one of the greatest myths; costly custom hardware/software can be compromised. Even the most secure closed systems available on the open market can be purchased by hackers just as easily as by anybody else.

I JUST had this happen to me this weekend. Someone created a PHYSICAL CLONE of my card, and went on an alcohol shopping spree. The worst part is, it was my "Check Card" which means that money is gone until my bank reimburses me.

Is there a list of infected systems so I can figure out which one it may have been stolen from? (One that isn't blurred out like the linked image.)

Sure, no external USB slots = no easy bootable USB stick, no optical drive = no booting from that. But custom hardware is normally slightly more difficult or at least more costly to obtain. It's not a solution, but it's an extra barrier.

Considering that these machines get little to no software maintenance, unless the malware floods their network or the machine fails to complete sales, these can go infected for years without notice. And even if the company does find out, they'd find it in their best interest to quietly bury the incident and pretend it never happened.

So no, I'm not at all surprised we don't know much about this kind of malware, and we have no idea how common they are.

The extra cost doesn't matter all that much considering the potential payout from either compromising POS systems for your own gain or selling the hacks on the black market.

Which is why big businesses hate regulations. They see them as damage to their profit model that needs to be eliminated or routed around. If such a proposed regulation would cost them $50 million to overhaul their POS systems with a perceived 0% ROI beyond regulation cost, they'll prefer shelling out $1 million in "campaign donations" to make sure the proposal dies in committee.

From the retailer side, I can tell you that my POS vendor purposely shuts off security features and OS updates because they "interfere" with the functioning of the POS software.

My vendor does too little patch management for the POS, no patch management for the OS, nor do they certify or recommend security appliances or antivirus packages.

I've walked into my stores and found my antivirus software uninstalled because it was perceived to be a problem by a service tech. After which, I informed them that I could take my business elsewhere.

The POS system still relies on inherently insecure Windows file sharing, which means a worm can traverse my network in no time flat. And don't get me started about them using WEP and stupidly easy passwords on WiFi.

The POS lanes also use super-slow hardware, with too little memory, making it nearly impossible to run AV, or other security, on the lanes.

I impose security constraints on them, as much as I can. I am contemplating splitting my networks, and isolating the POS as much as possible.

Frankly, with my POS vendor taking the anti-security stands that they do, some of which are in direct defiance of PCI, I'm not quite sure which way to go.

Well, paying in cash would protect you here. ATMs could also be rigged, but you can minimize your exposure there by using ATMs inside the bank or speaking directly to a teller.

Disclosure: I do none of these things. I rely on the credit card companies to detect fraud and automatically cancel/reissue my card with a new number. This happens to me on a fairly regular basis every year or two and I have never been liable for a charge. No idea if it's just teenagers generating random card numbers or a sophisticated spy ring operation but this approach has worked for me.

So, once upon a time I worked at a software company that was attempting to write POS terminal stuff, as well as bank teller terminal software. I once was poking around in the codebase and I noticed that there was a file called "Passwords.txt," which, as the name might imply, had a list of usernames and passwords.

In plaintext.

I asked my manager about this, and he said, yeah, that was the authentication system for the bank.

I asked if he thought that might be a little, you know, insecure.

He said it wasn't a problem - bank tellers weren't smart enough to quit out of the application and find the password file. If they were that smart they wouldn't be bank tellers.

(On the plus side, that company no longer exists, and as far as I know their banking product never shipped anywhere.)

Why wouldn't the USB ports be disabled by IT? Are you sure they're active? When I contracted at Target Corporate, their IT staff was pretty competent and security focused.

If they are running XP Pro or XP Embedded, the only way to lock off the USB ports is to disable the drivers and shut off Plug and Play. In the Windows XP Embedded version, don't load the USB port drivers into the OS image and either turn Plug and Play off or (preferred method) don't load it into the OS image at all. Windows Embedded POS has even more options for locking the USB ports. Security updates can be pushed to the Embedded devices but often aren't, since it requires considerable testing to verify the need for the update. XP Embedded and Embedded POS often use modified versions of the original XP system files that the standard XP Pro security patches don't match precisely.

On large enterprise systems (like Target), operating system images on POS machines are usually downloaded to the POS on bootup using PXE. That's a "one-way" process; POS images are never saved from a register onto the PXE server. The register OS image is held secure on a server somewhere in the store. If the image gets updated, the image usually gets replaced in total from some central IT repository onto the in-store server. The next reboot of the POS register updates the POS. That limits damage from a malware package.

I work for a company that produces retail analytics software, and we have software agents that run on tills. I could write pages of gripes about EPOS software and tills.

The majority of tills we see are XP based, though we have encountered tills running NT4 and 98SE. These machines are rarely patched, auto-updates are generally turned off and there isn't any form of centralised patch management. In addition to this, a lot of them do not run any form of AV.

I'm only surprised that it's taken this long for malware that specifically targets tills to surface. I'm even more surprised that they're not more common.

From the retailer side, I can tell you that my POS vendor purposely shuts off security features and OS updates because they "interfere" with the functioning of the POS software.

My vendor does too little patch management for the POS, no patch management for the OS, nor do they certify or recommend security appliances or antivirus packages.

I've walked into my stores and found my antivirus software uninstalled because it was perceived to be a problem by a service tech. After which, I informed them that I could take my business elsewhere.

The POS system still relies on inherently insecure Windows file sharing, which means a worm can traverse my network in no time flat. And don't get me started about them using WEP and stupidly easy passwords on WiFi.

The POS lanes also use super-slow hardware with too little memory, making it nearly impossible to run AV, or other security, on the lanes.

I impose security constraints on them, as much as I can. I am contemplating splitting my networks, and isolating the POS as much as possible.

Frankly, with my POS vendor taking the anti-security stands that they do, some of which are in direct defiance of PCI, I'm not quite sure which way to go.

Sounds like you need a new POS vendor, and you also need to perform some due diligence. It may simply cost you more to find a vendor that is PCI compliant.

First starting point is find one that uses an encrypted swipe that is tied to the processing gateway. That way customer cards are encrypted from the time they hit the read head to the time they pass through the gateway.